This may be an awkward form of Denial Of Service attack. Trying to get services to delete accounts for people who withdraw their authorization?
The emails appear legit, the users are replying with positive confirmation of account deletion. I have not found out which product or service is generating these emails yet.
It is the same one, for all messages, and none of them are actual users of our services. I received also legitimate requests, but with different wording.
I went through the motions of using this deseat.me service.
All I have to do is give this third party my login credentials for gmail ... what could possibly go wrong
Don't get me wrong, I think it's a pretty good idea, and I do like the way it finds likely candidates in your email history ... but think about a service that "protects your privacy" ... so long as you give it your credentials first.
It also promotes another service, Ctrlpanel, which will manage strong & unique passwords, for sites & apps that you want to keep using.
On the password, well they claim to be using Oauth (haven't tested yet, this is from their documentation),so they would not see the password itself.
We would authenticate and authorize against our mail provider, to allow this service access to the mailbox, which they then scan to sift out which services we might be using, and send the notifications. Also the question what would we exactly authorize (at least view full data, and act on our behalf ? ), and what happens with the permissions afterwards. Does the service de-authorize itself, once done, or do we need to do this ?
Apart from authorizing access, this scanning part could yield other data about us, to that service.
On a similar topic, this is automation on a scale, and I wonder how equipped ( on the process automation side ) are the companies to deal with potential amount of data. This could be a sort of "DDoS" on backend processes.
I tried it earlier today, after granting the service access to my gmail account, it found about 25 services / sites / apps ... and invited me to accept, delete (add to queue for delete) or mark invalid.
The google account permissions persisted after the service had run ... but I did have the option to remove the access from the "Apps with access to your account" pane on myaccount.google.com/permissions
Thank you for confirming.
The questions that arise in my mind are the following :
1. How many average users are aware of this (we do not count) - that permissions remain, and you need to remove them manually ?
2. Depending on the acceptable usage policy, quite a lot of people use corporate email also for private purposes. If such a email service is cloud hosted, someone might permit access (to a 3rd party), to corporate data.
To the second point, think of all the apps that have the "Sign in with..." option, this is basically the same...
The number of requests started to increase yesterday, still none of them valid. I wonder whether I can ignore these, as there is no data for these customers kept in the database.